|
|
|
Vulnerability Information Wants to Be Free
By: Larry Seltzer
2009-02-25
Article Rating: / 3
There are 2 user comments on this Network Security & Hardware story.
Companies that hide vulnerability information and take months for critical patches don't serve their users well.Some software companies have learned a lesson from
this decade that you don't protect your customers by pretending that
vulnerabilities don't exist in your software. And then there's Adobe.
The
story of the latest zero-day exploit of a vulnerability in their
products tells a sadly familiar tale of how low a priority
vulnerabilities are to the company, and how their instinct is to hide
information. Even though exploits have been in the wild since at least January
and probably December, the company is promising a fix on March 11. Today it
finally revealed that patches for versions 7 and 8 will be released a week
later, March 18.
But what's really galling is the absence of any
information provided by Adobe on the vulnerability until today. That
information, in a
post on the Adobe Product Security Incident Response Team (PSIRT)
blog, is mostly a bunch of links to anti-malware products from third
parties and a few advisories from outsiders on the issue, not details from
Adobe.
In fact, the
only details on the vulnerability that have come out are from the
Sourcefire
Research Team, which followed up with Snort
rules for the exploit and even a
homebrewed patch. The patch is interesting, in that it's just
a
hacked-up AcroRd32.dll from Acrobat Reader 9.0, meaning that they are
redistributing an Adobe file. I can't believe they have Adobe's
permission for
this; the real AcroRd32.dll is digitally signed, so the signature in
the
Sourcefire-hacked version fails. And yet after 2 1/2 days the homebrew
patch is
still up there. Could it be Adobe doesn't want to be so inconsiderate
to their
users as to stop the only protection they can get? And Sourcefire isn't
even
promising that this patch is definitive for the issue, just for the
technique
they described in their other blog entry.
This new vulnerability is a very big deal. We now
know that it affects Acrobat and Reader versions 7 through 9. We know that it
affects Acrobat and Reader on Windows, Linux and Mac OS X. As a practical
matter, exploits would likely be specific to one OS and therefore it will be
Windows, but a targeted attack against OS X or Linux users is perfectly
plausible. Just use the handy
proofs of concept available to anyone.
I came late to the full disclosure camp, and I'm
not as far into it as some. I don't see, for example, a reason to disclose
details of vulnerabilities if there is no public disclosure of them and no
evidence that they are being exploited in the wild. But once there is evidence
that there are exploits in the wild a company has a duty to provide its
customers with information on the vulnerability, how to mitigate it and how to
assess if they are vulnerable. This last point means that proofs of concept are
a valuable defensive tool.
The famous HD Moore explains it in his
Metasploit.com blog: The
Best Defense is Information. At a time when it knew the
vulnerability was being exploited in the wild and must have had samples, Adobe
sat on the information. They only disclosed anything after the Shadowserver
people forced its hand. Adobe customers, if they have brains, will find and
use the outsider tools such as the Sourcefire stuff, but Adobe should be providing
this information. Moore even draws a clear distinction between the behavior of
Adobe and Microsoft; the latter has found religion when it comes to quick
reaction to known exploits.
The people who write the malware have access to
this information if they want. It's only the honest people who are harmed when
companies fail to disclose.
Security Center Editor Larry
Seltzer has worked in and written about the computer industry since
1983.
For insights on security coverage around the Web,
take a look at eWEEK.com Security Center Editor Larry Seltzer's blog Cheap
Hack.
|
|
�������xr80�VӮc�]m!rYST婊PP$$M�8NK3n&�t%_ϖ˖�0Hd&�D��?;;~$rɅklJv9�;�D;;?.ԇP|oQP�o�2t}R �
�tӌ5v��:!�M��p��T�d�>J� &Ԏ@0]2x�6;k:&o4veki #n/ne0S�-ڎIQ>)�N�մH�m(�P8 p(ZB; ?+B4�m$oQT}:�XS=2tНS�[�BTuK4��G�Q�D/0�г;/�PQ~�DXV�m�ڮ�U� ؓڭAx)B�y!l�
�1#o�ݿ!`$nRvn7o\ 205b$��V�,"%0ýе�:s���08juj=nfO-�}KH;R@}k��y�>5I
i�w1 9I
CunOG�r ˺Y4�hm�Ea�jj�T+Wxxo9{�ؖ3{p*sN5��_zJU4Eٿ]vή
$QPw;@�VҝuP\ti\v?
ǁ#�ñ _d}#5��*%`ZJ4��/�ZH�Y^:G�5=(ǭ~o[%M�R?4,fϷ��3�+i3*,GQD~6/NM㳣N�;l,a�V4*2V]鮘FȏwAժsyҽ59i�{
ݙOtHM��Wh:s0Nկ=?o!&w�@"rVJze_R�"3t=jI�o]}<:�$7cY>韐/ !}_w��nr@
i/�],��,Y`M����IpL2T��ch^�ԩS 5'hhV筱J�+҄&
�9B:A`�̺k�R�49�(�8蟉$�m�4�@r5)6B̄H )7R�ަ�,-|y"�b�r�ݠHPs>Χ+foF">��ef"ȅ�Q.%M���
g�|�8J�Ku=ba�pY<8z�Zo֖͉*]X[u5jZl�E?iYwθyn?^OH{⧋vz߆)WI��F4�,h�eݴ�s榣V'c룯Tf~X�}U9-z�Qn�ʼnl�:2X�
jXR7HaQ�_gt�A`�:)ѧ!>RӚM�CqRO#Gs�>H2AG61^�zK
ucb���>'�a�
8�V8;
u�#uә�=��W45(h`G�I
�l"��]�LR}�l��8d
$(s>w[L,)`��VwCP�b�L{��TM`�@#g ,z���C��
�
@�l�߃5�#~[-[�Z6x�O͙A }�]x9-WR��;C/0@|JIIL}NBt�"AђF��)�4� �g�#X"K"'Gs`[X;;�.V+�\y"�*M':ݱ;P+J�d&3,BV-KїPf%i2kl�ƪń(VFN�1|�(0��Vn)5BYQ�fC:ס3#O��߅#a�I4�5+8dp7 �P�ܼ?
b>ȝ 8#��_gM������Y�1�Q)OzBaexʸ**$,T4��pt�j�K�ݼ~h��";hqNNSНB#D9z�Q=/OJb-yhֽ(Uע�o�H_ƠR�.
B[+�Ҟ� K
�r%W��}kaԕ %/D�An6\Z1,c
l,h 20��O�o��\�1�ȢfmD
jrIi��)KJ7VhV;Դj\.gy�-lD0(2n( 鿛R&a+B֨
OaOc�i6�EGn&z�|pf:��g3?'نdp�$D80V�2Pa�BS몶bg`m1Jx>x#�d\4�6L XbOF�#�NW酥kϧ;�Ңw^^Sv˖?XQ>Om �V�U}�=cG�L�mRGM�B�IAʫ�U�f!lX(%UMh?O~�5<2eX]2X>rGmA�utn\I�
Bb2�Q{lJ�w\C8fS=u8M<+1p]v3M�>ҁ�h
0>0Rlʪ�+> 2.izIRϢsG:Lpz�]�{K
uṚ{{k7�÷ �G�L)߭q*�9�WI�P5�]�Uj; s��4!`�\?=bEO�p?n ]�^*~
t9#�T�`| @ �y?�'߾�b[D �m0wLa�V*���7xoA!RēC�cI`� |*ͤce"��nxR*�gF�ccb~f.`Օݷ�K(
-��$P��) WA�h�xa{i12@W�?v~�HIcЧ˾tں>?&L{8;At;� {Hڝg8E ^x�;Yj\.0M��_I_�rH`UuԹhoc0.[�lj2�m&A)��pd�o>{5�ճ2b{:9\;ѳi?`�yA+G~{!\w.ŗ,5?wH;m)u�߽�o= rHpAjw_�'d�0|
s|n]G�6b��`[&IEq=SW5C2�xΰ�;�h`/5g�^�|��\i\5�g0�T
pm7Z��!ΊG0
V�`!���1tOVC� (ʡ��H��R
~tIwu��.V_$�@A�48�XS�(+RJ�"4FYO |�N�g
<�@�9N�hDuPעo9Kj�}J_cNf4��~ ѶP=8Y,lrh縵vI��c~:)}AmN9˝�~H�u(9�o�=�"HlSOkԛ�2L:1D&rޚS�%[BqLӆ'>�eax!wl 8B@ɠSN�SQ(�IZ[`beanKl�x0e�R蔈'=I8
z>RB'Դ5˓4/iY(Eqjhd�ꒈ~�~(h&'ءX�қ�].7'8
$O
kzisq/Ps~%��TgKe֊� p�kP�q<��+�b
;|E?2J[L>Xki-�jշΫ؉��lj9l0��`&(�9+rq�]4_twX�G:Q$�.�sFnt�wÝԎ+^@(NEVp2k�x'��_Y.t0o����_��zϜGoIM2�1B�wynL�xq�f='Fst9�7X�16q�w�v"#(;A�\[5("��Ӱu|S�5L`]E�F<.%g-�;-�!']ry}MZgQ�W�{�O$�tN �FP�=Foq>p]9Qz AC~g}\00;z{w6�"&3�
Cݿw_,v�7*ApC�-3����ӸO6;x4o
:G6�BfP E�V1a+�}k�՛�3.B)@���iq�p~vn�wcJljl�� 41Q�h�p��٦h��
�v��0\��f�>c1�\Z,ג=rL@Jd^I?�x�E
^\U���ĪRg70I�*ZI'^$yҚi�=W?MxE֩�_�Qb9fiYYn#hdP.e�2�nS?�XE�'�K��2њ��VI
Vˏ�W�/apP٢I2!~T#=ڌ,k��JHl%
"w&蛯;J]{.�77�o9_�Ռ���K�h9G{i)
͘a�K.Lrן�$3RMKGJ,T&?sIP��D@mt���Q�G<#O+O.U"<�'|p�KIU%6}t.ߴ�7fJ���5tSA#f6X<=��(CaJ]�;7U*9ǚ ۡ �5A��&o�_b�OAlɵJY7+qmǁ�C�0*��PQ.̀ĒUv)�r6�hn�)_z��e#v(#ח�:9�zj2�F84&M-F��Ah"mI,wm�^ڊ꒢IƳo9
'��'\:w)
/i�oFUs��|5nX�F=A��/�|rlfGF�IY#h�lg�*z�4_�kζ�҈��!�S�;��vḑ �dB���`H�p0�m[uMmU\�Msb�b(0't~6}�/$�>O�l娷Qx*7X"�8z{W�ŕ_[UZD_7w�9ZHl��v���05>�xf�PtC-`S�pk�m
z^ '�>�B�I�$ϸ>kC:sW `v�,5�cC�}1Gq`Q0r@v�{8a��$땢pײ7���K|��I�s̑�,x�Ʀ~%.|i"Ey"]O{oCz7��;��I(gR�?1[jϩ T$��5%TĬq8z��uk�x� ]x�'bIgq�<�45(��ň|)H�ry-gvl�u$~\-�Y$RJGsF#SuN�+R�%��1:R�E��<0��Y�I$i>
9��_qr0φ�>�(b[Hm=@W�ϓ�k,7sW+*H�xO86�d:�qƸ7`�UJ�[O0SĪJy�@B"�Hǻr�oGxyUכ[Uߐ5^�wgHqyY�XXhQa2[)Ckf��AHD@JV!: };Fi�)dh>u���R�EEEEH+U�wƻjU+҅�R�3!'lM%�00h*&|ή3^�̴ܯ<ے nn{0�m0�dQ�q}˝��;`+םq^�
�Gr�?Qckb�;:&f0h^u8�!tGjED�:�lܿX?�İ�ƺ�g��`D�S��)�h>w E5[.c��\Cmg(Ł\_ntU߷g}F��Hͼ@.$i�j ,vś2E��NG�oXoKfߖ�YrDN;-4w6�ViBsym+DZ��*�Z�k);vy�0
IK�6z䖪@\O?FoKfoX�J ;�xWoi��$K`y}7�*ęK-�l�S�!۩9,fER�o�Z!��ߤ�̜m_m�Q(H^uσ�dUokocϊ>wt){ۼRJrOjp,5ɉu��{
z!(d� �Ɨ��kiEI3�Ʊ)�'{d4cT2,,9edf�]�+��H֒�y�Nxtowwv]g��4�ε7
�5OZ z�/E6�r�T_[�L@UlY�@{=61 V'�T,�C$&Hm~�9(�th�51�]_\]A
Q^~FD�"��`n&,kx�zJ2Ko^;C'�ܬDMe-�ܮj=!5&<1ڢ
2�)XroXД�=$}�y m�@k��'0eNOµA*d�8I�Vuק6:F�̽Oe~MD0FK*�j%VC/CyQ�iwqݗǮ5*>5BYQeL�k�#R'��|z`[�g`ҧ�Ekɽv=/'=w�yKjmݷx��a'VNm2J\d9_K>HP)%$7�_�#�}g�a[2@N�
cˡW�%}hپY"�K�+F?)�D$�R7��xo/�5!o�I{m
�>:bә�&'th'&vUZtRtz�T[xb@3B;wdE=/7W3=�a\YrVf�8�h
ͬ{[QZJYva|�D�uv�,=�f�:'g;� ��At~+�|G*_[G�F�zVOz6ވ۳j
�_U�s6�`��4obD))�m2윶FwG#ˠO1h?1ad�R>hueaj+;Y�!kj��|<ҁ�_+qܖ.tf�l�B+��'}wB�}+r�t�7%eZS[�ٓ[J8�G� ��Pm̼ϴDGR�)}o [cb2z�ވ�9�pb�X<��ZaI�m{d7�2[�$}?Z,D1�� &��q}n@~huew=
d#�k�`�3Cߑ?�MVQh,��t8@�!'vq]Q
s��w�FnHs.cl�к�lŧtS�w|1[GB(W�9$#Mt[Ѿp}S�1";9'0�ឩU-�2ȘhD
MQ VHxLɹ���cMN퓔px�XҚ0! ��YC) x��� F$%hD1fHǼ�͈)i=r�61�_�t/J#+&(?-pD�
b{GLƙ;fSZ,�Ws҃���� tQR*k�("*�@���`g*�#��s�n
Q&@Ԕ�͍$�u�~fv�K)
'.X`�u�A"�\2,�Gza~2x
:�R���L�S0zy�6t(QS=1U&����n,nN���� Q2fxlLR
]�4�Bq0hp6A:߰|cm|?뽉e�2'���{x���bRWkJ%z�u���3ʰ�Laԁ{k<���AYUL,��\4W
PR�x����4
V #vFC�dQOb�:��1's;c*grڽ&-rznǣu^y��Oa[+p�ZnQqi}uݹ��31F;�d�6MJrY:2 6Sf�r?`{ͅfU/ys9,4/J>�M`>Xݙ?N�J*Q^�& ƕ^-ӄ-xec2�urr|j%6�N#g5^Lc:�jS#�[}uR��Bjs���@1@C|k{.4#z_m�;�9_KN5_/?n�rʻP)GN/?��sʏx})4>�9��חu
ͳI9)�:9sS�wr+4?r?C�<�>v͋_�_�^�sC�EN/?/r�"?QF/s ?唟AYN?�9�P~S�{3 ?9s w3~]�O7GtAts�U�\W9_�\O���A֗�_S^9SN>�>�oʁor�ڿi�&s$CPʑ�.N�pr+Q�T/ޯ<�4|�sYU�~vïUX^йZ*4*Я#U�w2~62At'u
CFW\=o /dmOu^k8&ֲnq_l Σ�_xi� �+< x�EB+�g�ٔ�@#X{#uO'NW6#�\]M�b}+r>VĘq22#s�"q�ǾJ5Bf�aO@z6&s"X�58SNtw<1 }-,sy˘�!WS;��=��&�n��7��v3}Ia��aAx�`
~iMog,\v�<2kݫ++c+p'k͠~�%k"N^���>>
ߊ�dUl=n{��d4o�q��a� C�1�-0_�VqF`�^u=
�!�:i>a#"2t�x�5ɪ"+uw9
8]�V*r
`"�
*�s>P�`24UF`
Ԋ�z!�J1
=4�`֭tKb(��L"O�ӱw2;fC$We",dƋ&�æʗp^Wv"�H�@0�~Y8P&`!��؞.F^͆$���w�� `1ǤK�4lM�ؒ9N-#E�1N>�@(MZCw�J�Y&5$W�!Z�7߸)ĪG�9Шscwˡ�B�~�22��VH'nнt�Ldp!gB-ҋKl�^@e�D�˺U땄�:~ {f�:aKƘS�DM�KIn�_!�x@ח`�ؼ!�B0BRhfNXw( �8�[]^N�ȇAK�>�o��p�1�q�6`:}�ig�F�`y�SĶ0�N(�!)I´k�:�/§On3EK~I]䎽n]�t Ccjd1Mk��+#�P<�����ՍP�aBv{3 ^l��x$Qd�/I'�;-��#%0uo�O�
챧�4J6 郧rIR�+.Ġ/2>g'4WBMxYU7�M&$rq�;at>]W��`AtN[Q��=$VSPsXOmM\�-2~kτ�xsp��^Ƃ!نI��f[�W1^{�#�E3dƨ4l9��o��h~}ګ�}F垓gg_5�b
Gy&�3@tgQl(VxROc{[/EɅ�KR%KWvl(�xW*Hvx*�DS�2m-(Eǝ.r�};�{�,d/+2bХ�v��HyU/';@"&�!#R.ڐO�F�{)0XP�4�0)��`t��p"��s��S�C@�_D2R*4%NSЌ�xS:xE�y�?ĵ�����M��خ;O�q^'�t#>&�rd{Koڇvr1$+nvG�T
g7>��5'ك|2p6�3`�ܐ}olI
�C_x��r:���Y W�96-[� +"���
�
Km˴1u¥"UXJNR��X,8.� k,_N�Q�w-�9�1�"I6:5yD�t
��] D
�h�ym�x�:" ��B�#VJrX}P?)�
]'[S�ܟ?B��a��҃fFM_�X��(K#
Lwn{9N]RjãōGX�Ǹ[�[)�Iy>p <Щ0T\bսJʶ�)E=b�농\
�Ѩi�pKTVD'n����3^-�7qݼ�3Qa[O_9-�z��0�
�LMkÐpai�#fS�S��3�{߂ �i�xz�X��XC`*F"�w�3u㖗�?~<6Ҝ%!tOY��B*E�w:9\OWzv�Con��3�g�>p7*�Ѡ,jU
z' l5m�26HZ�\ɾR6vFًᷞfSذM�*d.%r�R�⊫+ųiS}*
Cf'ʾ �w�6�6BKslt�6�1�͝�+X*��
|
Network Security & Hardware 
